How Can I Assign a Managed Identity to a DevBox Pool?

Asked By TechExplorer42 On

Hey everyone! I'm currently working with a DevBox pool and I'm trying to figure out how to assign a managed identity to the machines within this pool. The goal is to enable developers to use the command `az login --identity` similarly to how they would on an Azure VM. This would facilitate the use of "DefaultAzureCredentials" that link to a managed identity, which can be important for workflows involving federated credentials and app registrations. Without this, developers are stuck with their personal identities, which are not usable as issuers in such scenarios. Is there any way to assign a managed identity to a DevBox pool so that it can be utilized inside each individual devbox?

3 Answers

Answered By IdentityNinja On

The DevBoxes already have their own identity in Entra, each with a unique machine account. If a user runs that login command, it defaults to their user context, which can complicate things. Have you considered just giving users the necessary rights instead of using a shared account?

CloudGuru88 -

In this case, users can’t exchange their tokens in a workload identity federation scenario, so the shared MSI helps devs run their local setups and request tokens for the multi-tenant app.

Answered By CodeSmith77 On

I haven’t used DevBoxes, but they seem similar to VMs in a VMSS. You should be able to add the identity by finding the right abstraction. Just be cautious; if this solution feels outside intended service boundaries, rethinking the problem might be worthwhile.

TechExplorer42 -

It’s built on Windows 365. The devices are managed through Intune, so they provide a structured environment.

Answered By CloudGuru88 On

I’m not totally clear on the need for all developers to share the same identity. To me, that raises a few red flags, and I’d personally be concerned about potential misuse.

DevNerd99 -

These are locked test tenants. The devs need tokens for a multi-tenant app in this setup. Users can't exchange tokens in client assertion flows with their personal tokens, so using a managed identity reduces risk in this test scenario.
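The token exchange the question and the comments describe (a managed identity acting as the issuer, its token presented as the client assertion for an app registration with a federated identity credential), as an added example that is not part of the original thread. TENANT_ID, APP_CLIENT_ID and the Graph scope are placeholders, and make_demo_jwt builds a constructed, unsigned token for offline checks only.

```python
"""Workload identity federation with a managed identity as the issuer.
Added example, not code from the thread: the identity gets a token for
api://AzureADTokenExchange and presents it as the client assertion for an
app registration whose federated identity credential trusts that identity.
azure-identity and msal are imported lazily so the offline helpers run alone."""
import base64
import json
import time
from typing import Optional

# Placeholders: replace with the tenant and app registration being targeted.
TENANT_ID = "<tenant-id>"
APP_CLIENT_ID = "<client-id-of-app-registration>"
TARGET_SCOPE = "https://graph.microsoft.com/.default"
EXCHANGE_AUDIENCE = "api://AzureADTokenExchange"

def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT (no signature check)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def assertion_is_usable(token: str, now: Optional[float] = None) -> bool:
    """Check the token before using it as a client assertion: it must be minted
    for the exchange audience and not be expired. Entra verifies the signature
    server-side; this only catches sending e.g. a management-plane token."""
    claims = decode_jwt_claims(token)
    now = time.time() if now is None else now
    return claims.get("aud") == EXCHANGE_AUDIENCE and claims.get("exp", 0) > now

def acquire_app_token(tenant_id: str, app_client_id: str, scope: str) -> dict:
    """Exchange the managed identity token for an app token via MSAL."""
    from azure.identity import ManagedIdentityCredential
    import msal
    mi_token = ManagedIdentityCredential().get_token(f"{EXCHANGE_AUDIENCE}/.default").token
    if not assertion_is_usable(mi_token):
        raise ValueError("managed identity token is not a valid exchange assertion")
    app = msal.ConfidentialClientApplication(
        app_client_id,
        authority=f"https://login.microsoftonline.com/{tenant_id}",
        client_credential={"client_assertion": mi_token},
    )
    return app.acquire_token_for_client(scopes=[scope])

def make_demo_jwt(claims: dict) -> str:
    """Constructed, UNSIGNED JWT for offline demos only; Entra would reject it."""
    def seg(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}."
```

The app registration's federated credential must list the managed identity's issuer and object id as subject, otherwise the exchange fails with an invalid-client error regardless of what the local check passes.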
